caucase.tests: Work around cryptography breakage on >28bits OIDs.

As seen at least on cryptography 35.0.0 . Ideally this should be on a 63 or 64bits cutoff, but somehow the breakage is a lot lower. Bug reported upstream: https://github.com/pyca/cryptography/issues/6573

caucase.tests: Work around cryptography breakage on >28bits OIDs.
As seen at least on cryptography 35.0.0 . Ideally this should be on a 63 or 64bits cutoff, but somehow the breakage is a lot lower. Bug reported upstream: https://github.com/pyca/cryptography/issues/6573
83583e8b · Vincent Pelletier · 13684357 · 83583e8b · 83583e8b
Commit 83583e8b authored Nov 09, 2021 by Vincent Pelletier
Hide whitespace changes
Inline Side-by-side

Showing with 70 additions and 9 deletions

caucase/ca.py caucase/ca.py +1 -1

caucase/test.py caucase/test.py +69 -8

No files found.
--- a/caucase/ca.py
+++ b/caucase/ca.py
@@ -450,7 +450,7 @@ class CertificateAuthority(object):
      for policy in certificate_policies.value:
        if policy.policy_identifier.dotted_string.startswith(
          utils.CAUCASE_LEGACY_OID_TOP
-        ):
+        ): # pragma: no cover
          # Always migrate CAUCASE_LEGACY_OID_TOP to CAUCASE_OID_TOP
          # by copying current policy and replacing its prefix to the new
          # OID prefix

--- a/caucase/test.py
+++ b/caucase/test.py
@@ -87,7 +87,60 @@ from caucase.storage import SQLite3Storage
 _cryptography_backend = default_backend()
-NOT_CAUCASE_OID = '2.25.285541874270823339875695650038637483518'
+def _getTestOID():
+  """
+  Some cryptography versions do not tolerate large OIDs. Detect these here.
+  """
+  LONG_UUID = 285541874270823339875695650038637483518
+  LONG_OID = '2.25.%i' % (LONG_UUID, )
+  # XXX: this is not a compliant use of the 2.25 OID subtree
+  SHORT_OID = '2.25.%i' % (LONG_UUID & (2**28 - 1), )
+  test_private_key = utils.generatePrivateKey(key_len=2048)
+  def makeAndLoadCSR(oid):
+    """
+    Make a CSR with a policy extension for given OID.
+    """
+    extension = x509.CertificatePolicies([
+      x509.PolicyInformation(
+        x509.oid.ObjectIdentifier(oid),
+        None,
+      )
+    ])
+    csr_pem = utils.dump_certificate_request(
+      x509.CertificateSigningRequestBuilder(
+        subject_name=x509.Name([
+          x509.NameAttribute(oid=x509.oid.NameOID.COMMON_NAME, value=u'test'),
+        ]),
+      ).add_extension(
+        extension,
+        critical=False,
+      ).sign(
+        private_key=test_private_key,
+        algorithm=utils.DEFAULT_DIGEST_CLASS(),
+        backend=_cryptography_backend,
+      )
+    )
+    # cryptography may succeed in serialising the CSR, but may fail when
+    # loading it and accessing extensions.
+    _ = x509.load_pem_x509_csr(
+      csr_pem,
+      _cryptography_backend,
+    ).extensions.get_extension_for_class(
+      extension.__class__,
+    )
+  # sanity check
+  makeAndLoadCSR(SHORT_OID)
+  try:
+    # actual verification
+    makeAndLoadCSR(LONG_OID)
+  except ValueError: # pragma: no cover
+    return (False, SHORT_OID)
+  return (True, LONG_OID) # pragma: no cover
+(
+  _HAS_LONG_OID_SUPPORT,
+  NOT_CAUCASE_OID,
+) = _getTestOID()
+del _getTestOID
 A_YEAR_IN_SECONDS = 60 * 60 * 24 * 365 # Roughly a year
 if sys.version_info[0] >= 3: # pragma: no cover
@@ -1458,11 +1511,7 @@ class CaucaseTest(TestCase):
      x509.IPAddress(ipaddress.IPv4Network(u'127.0.0.0/8')),
      x509.IPAddress(ipaddress.IPv6Network(u'::/64')),
    ])
-    requested_policies = x509.CertificatePolicies([
+    policy_list = [
-      x509.PolicyInformation(
-        x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
-        None,
-      ),
      x509.PolicyInformation(
        x509.oid.ObjectIdentifier(utils.CAUCASE_OID_RESERVED),
        None,
@@ -1471,7 +1520,15 @@ class CaucaseTest(TestCase):
        x509.oid.ObjectIdentifier(NOT_CAUCASE_OID),
        None,
      ),
-    ])
+    ]
+    if _HAS_LONG_OID_SUPPORT: # pragma: no cover
+      policy_list.append(
+        x509.PolicyInformation(
+          x509.oid.ObjectIdentifier(utils.CAUCASE_LEGACY_OID_RESERVED),
+          None,
+        ),
+      )
+    requested_policies = x509.CertificatePolicies(policy_list)
    expected_policies = x509.CertificatePolicies([
      x509.PolicyInformation(
        x509.oid.ObjectIdentifier(NOT_CAUCASE_OID),
@@ -3481,7 +3538,11 @@ class CaucaseTest(TestCase):
    self.assertEqual(os.stat(self._server_db).st_mode & 0o777, 0o600)
    self.assertEqual(os.stat(self._server_key).st_mode & 0o777, 0o600)
-  def testOidMigration(self):
+  @unittest.skipIf(
+    not _HAS_LONG_OID_SUPPORT,
+    'cryptography version lacks >64bits OID support, migration is impossible',
+  )
+  def testOidMigration(self): # pragma: no cover
    """Tests OID migration
       Monkey patches caucase.utils in order to create user certificate